Business leaders often think of cybersecurity in terms of technology and risk, investing heavily in the tech, but entirely overlook the human side of it, which is actually the top cybersecurity risk for many organizations. Relegating cybersecurity measures to IT misses a crucial element needed to safeguard organizations from the blizzard of digital threats growing every day: culture.
What is a culture of security?
Culture is always about mindset. A culture of security is about how strong, accountable and resilient the entire organization is against cyberthreats from a human standpoint. It is about infusing and empowering a "human firewall" against digital attacks.
Elements of a culture of security
A cybersecurity culture is one that spans the entire organization -- across teams, processes, metrics and tools. Incorporating the following attributes and best practices throughout an organization is one of the greatest challenges facing security leaders, but doing so has never been more essential.
Support among leadership is paramount to a security culture. First, the behavioral and financial investments begin among senior leadership. Terms and specifics may be established by the CISO, but executives and senior management across all teams are responsible for setting precedent and defining the strategic context for what secure looks like in their departments. Leaders also have personal interest here, as they are common targets for attackers.
2. Cross-functional liaisons
Given the diversity of threats, endpoints and vulnerabilities in every company, part of sustaining a culture of security includes a multidisciplinary taskforce. This group should be dedicated to the following:
- identifying risks and opportunities;
- bridging security priorities across different groups, such as IT/operational technology or sales and support;
- analyzing areas of redundancy in tools and vendor products; and
- developing specific safeguards to be deployed across business functions, teams and products.
The group of cross-functional liaisons is also instrumental in identifying cultural barriers to a secure mindset and best practices. For example, United Airlines developed an awareness and education team dedicated to embedding security into the DNA of the company across all its operations. "Cyber ambassadors" and "friends of security" were elected across the various teams to watch for security issues in their respective departments. Having the perspectives of both subject matter experts and general associates, such as United Airlines has, is critical to making sure the whole organization is fortified.
Building awareness within organizations is half the battle of mitigating cyberthreats -- especially because social engineering and human error account for the majority of penetrations. Security and IT teams should design educational curricula beyond PowerPoints, password tips and annual pass-fail exams. Develop the context for employees, being transparent about the risks, implications and cascading effects of bad security hygiene. Illustrate threat landscapes not only across proprietary assets, but third-party vendors and remote working tools too. Trainings, which should be ongoing and easy to grasp, should include the following:
- real-life examples, updated for the times;
- how-tos -- for example, how to spot suspicious behavior, report an issue and contain threats;
- feedback mechanisms to improve the culture around security, processes and tools; and
- opportunities for skills development, such as becoming a "cyber ambassador."
4. Employee relevance
While the need is universal, building awareness and educating employees is not one size fits all. It is crucial employees understand their specific responsibilities and how their roles and behaviors can help or hinder the overall security structure of an organization. This includes developing cybersecurity procedures that integrate into employees' daily work routines and procedures, rather than asking for cumbersome or radical behavioral changes. Consider using learning tools and training styles to personalize content. Integrate scenarios that will resonate, such as steps to take before releasing code for developers; pertinent issue resolutions for support teams; and areas that exceed industry standards for sales.
5. Attitudes and behaviors
The culture of an organization is about how people feel, which includes beliefs, assumptions and general engagement with the company and its perceived values. Part of this is about making employees feel comfortable -- not stupid -- if they make a mistake and confident -- not panicked -- when an incident occurs. Simply put, employees should feel positive about contributing to the company's cybersecurity resilience.
Finning International, a distributor of heavy machinery, hired psychologists to better understand how people learn about security in relatable ways. The company offered various training modalities to support different learning styles -- for example, by using gamification, short videos and face-to-face discussions. The company's communications team also tailored content for employees across different geographies and languages.
An often-overlooked part of a cybersecurity culture includes working outside a company's four walls. Counterintuitively, digital threats require a cultural embrace of opening up. For example, sharing threat analytics across competitive stakeholders, using open source code or models, and incorporating audits and accountability metrics into procurement and partnerships can all help improve security.
Rockwell Automation has a group dedicated to information sharing around security issues, which includes strategic customers across various sectors to incorporate outside-in perspectives. Not only is this valuable to the company's own security culture, but it is also a direct line to product innovation in the name of security.
Metrics are often associated with hard stats in security, but they also play an important role in the company's broader culture. Metrics are key to monitor the effectiveness and overall value of training. Incorporating gamification, competitions or quick tests into security training and post-training, for example, is useful to monitor which modules resonated and what concrete knowledge and behaviors stuck. They are also important for articulating the value proposition to leadership for continued investment, as well as for employees to build upon progress made. For example, security and IT teams could try tying metrics to productivity enhancements, employee incentives, opportunities to learn new skills and the like.
A strong security posture requires a strong foundation
A recent Forbes Insights survey of more than 200 CISOs found organizations with a siloed approach to security experience more negative effects than those with enterprise-wide strategic approaches. The following costs of focusing only on downstream tactics are significant and only growing:
- costs of breach (revenue loss, downtime, reputation);
- massive influx of incidents in recent years;
- sophisticated tactics, powered by emerging technologies;
- major lack of security talent;
- leaders as targets; and
- frontline employees as targets.
With the foundation of the seven elements covered here, a security culture in the workplace is the upstream line of defense to an ever-expanding array of downstream attacks.